bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312

Analysis

max time kernel
149s
max time network
55s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
Size

392KB
MD5

38b852c6be04f9749115fb995490e08c
SHA1

79fd7395f28f37d9d38abfadc5a4c42d60c98079
SHA256

bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312
SHA512

d7d41b0c58fd18e14a0eb5ef3125acc1925910ecb368ed4615961cad0dcf4c61ca263d3fb875f182857165fb66713bef688075d3585e9ea5eedb419b559a6ead
SSDEEP

12288:st8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS2K:st+gvMpVij/F1hV5HuvAIQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
820	achsv.exe
1484	COM7.EXE
332	COM7.EXE
1108	achsv.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
820	achsv.exe
820	achsv.exe
1484	COM7.EXE
1484	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1804	reg.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
820	achsv.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
332	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1108	achsv.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE
1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
1484	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
820	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 820	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	27
PID 1380 wrote to memory of 820	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	27
PID 1380 wrote to memory of 820	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	27
PID 1380 wrote to memory of 820	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	27
PID 1380 wrote to memory of 1484	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	28
PID 1380 wrote to memory of 1484	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	28
PID 1380 wrote to memory of 1484	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	28
PID 1380 wrote to memory of 1484	1380	bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe	28
PID 1484 wrote to memory of 1804	1484	COM7.EXE	29
PID 1484 wrote to memory of 1804	1484	COM7.EXE	29
PID 1484 wrote to memory of 1804	1484	COM7.EXE	29
PID 1484 wrote to memory of 1804	1484	COM7.EXE	29
PID 820 wrote to memory of 332	820	achsv.exe	31
PID 820 wrote to memory of 332	820	achsv.exe	31
PID 820 wrote to memory of 332	820	achsv.exe	31
PID 820 wrote to memory of 332	820	achsv.exe	31
PID 1484 wrote to memory of 1108	1484	COM7.EXE	32
PID 1484 wrote to memory of 1108	1484	COM7.EXE	32
PID 1484 wrote to memory of 1108	1484	COM7.EXE	32
PID 1484 wrote to memory of 1108	1484	COM7.EXE	32

C:\Users\Admin\AppData\Local\Temp\bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe
"C:\Users\Admin\AppData\Local\Temp\bbba9aca20bc1f4c006489258d8b8f50a62ebaaa53a15d99b79fea2c68b13312.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:332
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
8b49f40f1ce3fe193d39b97029d5aba2

SHA1
77214670388e3c98bc8930046c8507aa347e12e4

SHA256
613353da00fbd5a080aededd50a5f2fcee2dad4a0984724809fd6bff70ee90a0

SHA512
c0f1a3477198c2b576366abfe56f2a40dfed40a3a8804d5303e5c9e5b588f8aff31f991b26488a3eecbeae91fa4ddf6c8d5abecdcc4579d3f6c12d276a3e803b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
404816a2a1eb4a85555099ceed14a2af

SHA1
1b5323c96401cd437103e89f7bcf2d69460c0c61

SHA256
ca5e5e62161dc1ce7d37250043ce94955ca7ceb66f9677390a02e4932c7aada1

SHA512
e2e8a4fd86423c14d324055e9b887372ca4e918bef71b4a839c791768f933674c584cff8ef6e1b8f7ed823cb5d7f23cffde6c2f22792eb886fc6716635a3d421

Download Submit
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download